Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Of GPG Collisions and UX Security

Researchers have found a way to generate GPG key collisions in just four seconds, and put out a call for GPG to harden its UX.

Attack and vulnerability details are often disclosed in order to prompt vendors and project maintainers into action. It happened recently with publication of attack code that mimicked the work of Karsten Nohl on BadUSB and tried to nudge Phison Electronics of Taiwan into looking at its USB firmware. It has happened before with Microsoft vulnerabilities where disclosures are made when there’s a perception the vendor is sitting on a vulnerability for too long.

Over the summer, two researchers presented research at DEFCON on GPG collision attacks that resulted in their own call to action: Stay away from 32-bit key IDs in GPG.

Using a tool they built called Scallion, Eric Swanson and Richard Klafter need just four seconds to generate colliding 32-bit key IDs on a GPU.

“Key servers do little verification of uploaded keys and allow keys with colliding 32bit ids,” they wrote in a blogpost in July. “Further, GPG uses 32bit key ids throughout its interface and does not warn you when an operation might apply to multiple keys.”

“The core of GPG’s crypto is 100 percent rock solid,” Swanson said. “However, like a lot of tools, GPG has fairly atrocious UX. When attacking security, it’s almost always best to attack the user. These short key id collisions are a way to do that.”

Swanson and Klafter concluded through their research that they can create a collision for every 32-bit key in the Web of Trust strong set, putting GPG’s longterm viability at risk.

“GPG’s interface has needed an update for a long time. The goal of our project was to further demonstrate this need,” Klafter said. “I am positive there is enough passion for privacy and the GPG project itself that it will get the update it needs.”

Simon Josefsson, a member of the GPG support team, said UX work is up to each application developer.

“I’m sure that all applications that use short keyids should have some kind of thinking happening due to the evil32 issue, but whether it happens or not depends on the authors of the respectively project,” he said.

GPG, short for Gnu Privacy Guard, is a free OpenPGP implementation, and it’s used to encrypt and sign data and communications. In their DEFCON presentation, Swanson and Klafter also disclosed some information on a vulnerability in GPG wherein the recv-key with full fingerprint feature does not verify the received key matches the fingerprint. GPG issued a patch Aug. 29 that mitigates potential man-in-the-middle attacks exploiting this situation. Swanson and Klafter hope the project continues on and addresses the collision issue.

“There are a variety of ways to address this, but most strongly, GPG should switch to using at least 64-bit key IDs by default, and warn you whenever it detects a collision in displayed key
ID (either 32-bit or 64-bit),” Swanson said.

Swanson urges organizations using GPG to be careful with receiving keys, and to use gpg—fingerprint to verify key exchanges. The availability of tools such as Scallion allows for the rapid computation of key IDs, which even on older hardware, can try around 400 million keys per second, he said.

“Despite its interface, GPG is still an excellent piece of software used everywhere from email encryption to software package verification,” Klafter said. “Its encryption is rock solid and I would still recommend GPG over other encryption tools, just make sure to check your full fingerprints.”

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.